- SSSD now allows the responders to be activated by the systemd service manager and exit when idle. This means the
services line in sssd.conf is optional and the responders can be started on-demand, simplifying the sssd configuration. Please note that this change is backwards-compatible and the responders listed explicitly in sssd.conf's services line are managed by sssd in the same manner as in previous releases. Please refer to
man sssd.conf(5) for more information
- The sudo provider is no longer disabled for configurations that do not explicitly include the
sudo responder in the
services list. In order to disable the sudo-related back end code that executes the periodic LDAP queries, set the
- The watchdog signal handler no longer uses signal-unsafe functions. This bug was causing a deadlock in case the watchdog was about to kill a stuck process
- A bug that prevented TLS to be set up correctly on systems where libldap links with GnuTLS was fixed
- The functionality to alter SSSD configuration through the D-Bus interface provided by the IFP responder was removed. This functionality was not used to the best of our knowledge, had no tests and prevented the InfoPipe responder from running as a non-privileged user.
- A bug that prevented statically-linked applications from using libnss_sss was fixed by removing dependency on
-lpthreads from the
libnss_sss library (please see <https://sourceware.org/bugzilla/show_bug.cgi?id=20500for an example on why linking with
-lpthread from an NSS modules is problematic)
- Previously, SSSD did not ignore GPOs that were missing the gPCFunctionalityVersion attribute and failed the whole GPO processing. Starting with this version, the GPOs without the gPCFunctionalityVersion are skipped.
- The Augeas development libraries are no longer required since the configuration manipulation interface was dropped from the InfoPipe responder
- The libsss_config.so internal library was removed as well due to removal of the InfoPipe config management
- In order to manage socket-activated or bus activated responders, each responder is now represented by a systemd service file (e.g. sssd-nss.service). All responders except InfoPipe, which is bus-activated, are also managed by a socket unit file (e.g. sssd-nss.socket)
- The sssd-secrets responder gained a new option max_payload_size that allows the administrator to limit the maximum size of a secret
- A new option responder_idle_timeout was added to support idle termination of socket-activated responders
- The sssd-ad and sssd-ipa man pages now summarize differences between the generic Kerberos/LDAP back end and the specialized IPA/AD back ends
See full release notes here.